


Apple Claims 'Most Significant Upgrade to Memory Safety' in OS History (apple.com)
"There has never been a successful, widespread malware attack against iPhone," notes Apple's security blog, pointing out that "The only system-level iOS attacks we observe in the wild come from mercenary spyware... historically associated with state actors and [using] exploit chains that cost millions of dollars..."
But they're doing something about it — this week announcing a new always-on memory-safety protection in the iPhone 17 lineup and iPhone Air (including the kernel and over 70 userland processes)... Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry... For Apple, improving memory safety is a broad effort that includes developing with safe languages and deploying mitigations at scale...
Our analysis found that, when employed as a real-time defensive measure, the original Arm Memory Tagging Extension (MTE) release exhibited weaknesses that were unacceptable to us, and we worked with Arm to address these shortcomings in the new Enhanced Memory Tagging Extension (EMTE) specification, released in 2022. More importantly, our analysis showed that while EMTE had great potential as specified, a rigorous implementation with deep hardware and operating system support could be a breakthrough that produces an extraordinary new security mechanism.... Ultimately, we determined that to deliver truly best-in-class memory safety, we would carry out a massive engineering effort spanning all of Apple — including updates to Apple silicon, our operating systems, and our software frameworks. This effort, together with our highly successful secure memory allocator work, would transform MTE from a helpful debugging tool into a groundbreaking new security feature.
Today we're introducing the culmination of this effort: Memory Integrity Enforcement (MIE), our comprehensive memory safety defense for Apple platforms. Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies. MIE is built right into Apple hardware and software in all models of iPhone 17 and iPhone Air and offers unparalleled, always-on memory safety protection for our key attack surfaces including the kernel, while maintaining the power and performance that users expect. In addition, we're making EMTE available to all Apple developers in Xcode as part of the new Enhanced Security feature that we released earlier this year during WWDC...
Based on our evaluations pitting Memory Integrity Enforcement against exceptionally sophisticated mercenary spyware attacks from the last three years, we believe MIE will make exploit chains significantly more expensive and difficult to develop and maintain, disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products. Because of how dramatically it reduces an attacker's ability to exploit memory corruption vulnerabilities on our devices, we believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.
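To make the mechanism Apple describes concrete, here is an added toy model in C of what EMTE in synchronous mode plus a tagging allocator gives you; it is constructed for this page, not Apple's code, and it simplifies real MTE (16-byte granules, 4-bit tags in bits 56..59 of the pointer, a bump allocator that cycles tags instead of choosing them randomly).

```c
/* Toy model of EMTE-style memory tagging in synchronous mode (constructed, not Apple's code):
 * each 16-byte granule has a 4-bit tag in a shadow store, each pointer carries a tag in
 * bits 56..59, and every access compares the two before the byte is touched. */
#include <stdint.h>
#define GRANULE 16
#define HEAP_GRANULES 64
#define TAG_SHIFT 56

typedef uint64_t tptr;                      /* bits 0..55 = offset into heap, 56..59 = tag */
static uint8_t heap[GRANULE * HEAP_GRANULES];
static uint8_t granule_tag[HEAP_GRANULES];  /* shadow tag store; 0 marks free memory */
static uint64_t bump = 0;                   /* bump allocator position, in granules */
static uint8_t next_tag = 1;                /* cycles 1..15, so adjacent allocations differ */

static tptr     make_ptr(uint64_t off, uint8_t tag) { return off | ((tptr)tag << TAG_SHIFT); }
static uint64_t ptr_off(tptr p) { return p & ((1ULL << TAG_SHIFT) - 1); }
static uint8_t  ptr_tag(tptr p) { return (uint8_t)(p >> TAG_SHIFT) & 0xF; }

/* Allocate n bytes rounded up to whole granules and tag them with a fresh tag.
 * Real allocators pick tags randomly while excluding the neighbours' tags. */
static tptr tag_malloc(uint64_t n) {
    uint64_t g = (n + GRANULE - 1) / GRANULE, first = bump;
    if (first + g > HEAP_GRANULES) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    for (uint64_t i = 0; i < g; i++) granule_tag[first + i] = tag;
    bump += g;
    return make_ptr(first * GRANULE, tag);
}
/* Free retags the granules, so any stale pointer now mismatches. */
static void tag_free(tptr p, uint64_t n) {
    uint64_t first = ptr_off(p) / GRANULE, g = (n + GRANULE - 1) / GRANULE;
    for (uint64_t i = 0; i < g; i++) granule_tag[first + i] = 0;
}
/* Synchronous check: a tag mismatch faults (returns -1) before the access completes. */
static int tag_access(tptr p, uint8_t *v, int write) {
    uint64_t off = ptr_off(p);
    if (off >= sizeof heap || granule_tag[off / GRANULE] != ptr_tag(p)) return -1;
    if (write) heap[off] = *v; else *v = heap[off];
    return 0;
}
/* Scenario: 24-byte buffer a followed by buffer b. Returns a bitmask of which accesses faulted. */
static int demo(void) {
    tptr a = tag_malloc(24), b = tag_malloc(8);
    uint8_t v = 0x41; int r = 0;
    if (tag_access(a + 23, &v, 1)) r |= 1;   /* in bounds: allowed */
    if (tag_access(a + 24, &v, 1)) r |= 2;   /* overflow into a's own granule padding: NOT caught */
    if (tag_access(a + 32, &v, 1)) r |= 4;   /* overflow into b's granule: caught */
    tag_free(a, 24);
    if (tag_access(a, &v, 0)) r |= 8;        /* use-after-free through the stale pointer a: caught */
    if (tag_access(b, &v, 0)) r |= 16;       /* b through its own pointer: allowed */
    return r;                                /* 4 | 8 == 12 */
}
```

The `a + 24` store shows the well-known granularity blind spot of tagging: an overflow that stays inside the allocation's last 16-byte granule is not detected, which is why tag checking is only one layer alongside allocator design.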
"exploit chains that cost millions of dollars..." (Score:3, Insightful)
The exploit chain does not cost millions of dollars to execute. It's simply the cost to buy the information from the right people. That's like spending four figures for a set of build plans for a coffee table, making the table, and then claiming the coffee table is worth thousands of dollars.
Information can be leaked or "rediscovered" by anyone not trying to run a spyware business and lower that barrier to entry significantly.
Re: "exploit chains that cost millions of dollars. (Score:3)
Re:"exploit chains that cost millions of dollars.. (Score:4, Insightful)
The real question is how much of a performance tradeoff is this or if there's some other catch.
Re: (Score:2)
The Malaysian bot farm hacking your phone can result in dumping private pictures, message history, browser history, political opinions or party affiliations, your kids' school address, work documents, all of which can have real-life consequences. You're AC on this site for a reason, I imagine you don't want your opinions to be tracked to an identity, even if only a pseudonym. Imagine everything you have said, written or done with a phone suddenly published with your name and address.
Re: (Score:2)
I wonder what data are on my phone that the police could and would use against me. I am guessing not very much.
What I would be a lot more concerned about is the police using their access to PLANT data that they could use against me. That's a much more likely problem for me.
I try to mitigate that by not pissing off the police enough for them to bother with effort.
Exactly Forward (Score:1)
I don't give a shit if some Russian/Kazakh/Malaysian bot farmer wants to take over my phone.
So you do no banking on your phone? Unlikely.
For the 99% of people that do in fact use a phone for banking, protection from lower level criminals is invaluable. For most people there is real financial loss possible from a phone being taken over, at the very least to monitor banking access mechanisms.
Re:"exploit chains that cost millions of dollars.. (Score:5, Interesting)
Some companies don't sell you the information. They actually make you buy access to the exploit.
Think companies like Cellebrite - their most advanced hacks cost millions per use - you provide them with the details on how to get at the victim (e.g., phone number) and they deploy their attack on that phone and provide a gateway to access it.
They also sell a box you can use to break in via the USB port, and they charge anywhere from $100K to a million dollars to break into one unit - you buy the license to break into one phone.
They're not selling their exploit chain to anyone - they're keeping it a secret and selling you the effects of that for millions of dollars. Once it's sold it's worthless because like a secret once you tell someone else, it's likely to leak out.
Re: (Score:2)
The claim wasn’t “millions of dollars to execute”. The claim was that the exploits cost millions of dollars. It’s pretty obvious that the bulk of that cost is development and testing.
Re: (Score:2)
Pay no attention to the man behind the curtain. (Score:1)
If you ignore *those* exploits, we're perfectly secure!
Re: (Score:2)
You seem a little dense.
Bet on the hackers (Score:4, Insightful)
Re: (Score:2)
Well, I suppose in the abstract that "someday" is probably correct. But the hackers have had 18 years, to very limited success.
Re: (Score:3)
Not too long. It's defense in depth; it's not meant to be outright impenetrable, just very (very) hard to get through.
Someone with enough drive, enough time, and enough resources will eventually put together an exploit chain that doesn't require an invalid tagged memory access. But if that raises the manpower requirement by 10-fold (to pull a number out of my ass), then it makes it that much more expensive to attack a phone. At some point, the Apple juice won't be worth the squeeze.
History (Score:5, Interesting)
The Lisp Machine operating system, ca 1977, was memory safe. It was written in Lisp, and all memory accesses were run-time type checked. Incorrect accesses, such as data type mismatch, or array bounds, were not possible on the system. However, this was implemented in hardware: it was a tagged architecture where the CPU did the type checking on every instruction in conjunction with the hardware type bits in the memory cells. (Low level software in the implementation refined the type check/dispatch on hardware traps, outside the most primitive types defined in the hardware.)
People should be wary of "IN HISTORY" claims, as they are usually ignorant, especially when unqualified.
Re: (Score:3)
Capability machines and tagged architectures have an interesting history. The first I know of is the Burroughs 6600 from the mid to late '60s: https://en.wikipedia.org/wiki/... [wikipedia.org] Then there's the Intel 432 https://en.wikipedia.org/wiki/... [wikipedia.org] and the short-lived BiiN system that was a successor to the 432: https://en.wikipedia.org/wiki/... [wikipedia.org] But a lot of this dates back (like so much of computing) to Multics and its mandatory access control mechanisms.
Re: (Score:2, Funny)
You should note that this is the first time in history Apple have claimed "first" and "revolutionary" in regards to their tech, so you should forgive them just this once.
Re: (Score:2)
You should note that this is the first time in history Apple have claimed "first" and "revolutionary" in regards to their tech, so you should forgive them just this once.
I think different.
Re: (Score:2)
Sounds like you really would enjoy this book. https://www.goodreads.com/book... [goodreads.com]
All that without the need for a new programming la (Score:3)
Eat that, Rust.
Re: (Score:3, Insightful)
Re: (Score:2)
BTW i still don't understand what's with all the rust hate?
This is from programmers who know C or C++ and are too lazy to learn something new. They bash Rust since it is the most viable safe option for domains where C/C++ is used. Part of the "hate" is also that Rust has an ownership type system. It is more restrictive than the "normal" type system of C/C++. It is harder to use, especially if you do not have prior experience with "limiting" languages like e.g. Haskell or Clean.
Re: (Score:2)
I'm not a C/C++ programmer.
Re: (Score:1)
BTW i still don't understand what's with all the rust hate? There are so many programming languages out there. Each have a different purpose, use the right tool for the job, don't be obsessive with a single tool.
To me, the hate on Rust is about irrevocable change. Once accepted, even if later rejected, you can never go back to what was before. At best, you can start something new, in the spirit of what was. After so much change "what was" hasn't kept up, while not being maintained. You don't see many development choices willing to sacrifice progress, to dust off obsolescence. You could distill this further, to forecasting the direction a change will bring. The change "before you" may not be so bad; but the aftermat
Never? (Score:1)
"There has never been a successful, widespread malware attack against iPhone,"
Bullshit. **cough** Israel's "Pegasus" **cough**
Hell, when Edward Snowden warned that even when you turn off your iPhone, it can be remotely turned back on again by Five Eyes.
Re: (Score:2)
"There has never been a successful, widespread malware attack against iPhone,"
Bullshit. **cough** Israel's "Pegasus" **cough**
I agree that the claim is eye-roll inducing, but you could have at least read the next sentence before replying with the exact thing that it references.
Re: (Score:2)
"There has never been a successful, widespread malware attack against iPhone,"
Bullshit. **cough** Israel's "Pegasus" **cough**
I agree that the claim is eye-roll inducing, but you could have at least read the next sentence before replying with the exact thing that it references.
Would you call Pegasus "Widespread"?
And, IIRC, Apple promptly countered that, and a lot of other Grabby State bullshit, with their Enhanced Data Protection ("Lockdown Mode"), and improvements to its BlastDoor anti-infiltration system.
https://m.economictimes.com/ne... [economictimes.com]
They seem to not know Return Oriented Programming (Score:2)
It is only about 20 years old now...
Can this stop state level spyware? (Score:2)
Can this stop the kind of spyware and exploitation tools that are used by law enforcement agencies, intelligence agencies and the sort of "secret police" dictatorships use to suppress dissent?
Re: (Score:1)
the sort of "secret police" dictatorships use to suppress dissent?
Are you talking about masked ICE agents?
Re: (Score:2)
Can this stop the kind of spyware and exploitation tools that are used by law enforcement agencies, intelligence agencies and the sort of "secret police" dictatorships use to suppress dissent?
That sounds like exactly the type of exploitative efforts Apple is trying to thwart with MIE.
Re: (Score:2)
Failed to replace C: A list of memory safety cults (Score:1)
I just want to rub in that this safetysm never works (no matter how much you cry or insult & disrespect real work-a-day coders), has never replaced C, won't replace C, and looks pretty silly in light of all the failures. Academic failures being especially notable and laugh
Sigh. (Score:3)
DEP will save us all from malware ...
ASLR will save us all from malware
*insert 20 years of the same*
MTE will save us all from malware
EMTE will save us all from malware